Business Name: New Life Recovery Coach
Effective Date: 02/01/2025
Reviewed: 08/31/2025
1. Purpose
This policy establishes how New Life Recovery Coach, LLC ensures the security and privacy of information it collects, stores, and transmits—especially cardholder data and personally identifiable information (PII)—in compliance with PCI-DSS Requirement 12.
2. Scope
This policy applies to:
- All systems, services, and software used to process or store customer information (e.g., One Step Recovery, PaySimple, PayPal).
- All customer, client, and vendor data collected in the course of business operations.
- The owner/operator of the business.
3. Data Security Responsibilities
a. Owner/Operator Responsibilities
As the sole operator, I am responsible for:
- Ensuring secure use of payment platforms.
- Following secure login procedures (unique username/password, MFA when available).
- Never storing credit card data in plain text or on local devices.
- Only accessing online payment platforms through secure, encrypted (HTTPS) connections.
- Regularly updating passwords (at least every 90 days).
b. Device & Network Security
- Devices used for business (phone, laptop, tablet) must be:
  - Password-protected
  - Kept up to date with security patches
  - Protected by antivirus or endpoint protection software
- Public Wi-Fi must not be used to access sensitive information unless using a trusted VPN.
4. Privacy Policy
a. Data Collection
Only essential customer data is collected for billing and service purposes, including:
- Name
- Contact information
- Payment details that are processed securely
b. Data Usage
Customer data is used only for:
- Billing
- Contact and communication
- Service management
c. Data Sharing
Customer data is never sold or shared with third parties, except:
- As required by law
- To authorized service providers for processing transactions
d. Data Retention
- Data is retained only as long as needed for business or legal purposes.
- Old records are deleted or securely archived following data protection standards.
5. Access Controls
- Only the owner/operator has access to customer and payment information.
- No unauthorized personnel are given access to any system that handles sensitive data.
6. Incident Response Plan
If any breach or suspicious activity is detected:
- Access to systems will be immediately suspended.
- PaySimple and One Step Recovery or any other payment platform support will be notified.
- Customers affected will be contacted as appropriate.
- Incident details will be documented, and corrective actions will be taken.
7. Policy Review
This policy will be reviewed annually or after any major system, software, or process change.